The major Panama Papers breach involving millions of files that reveal a complex tax evasion system developed by the richest and most influential people in the world was not a hack, as initial reports said. It was an inside job.
A female former employee with access to the data was allegedly involved in an intimate relationship with a Mossack name partner. The relationship ended badly some time ago, and the employee exacted her revenge by going public with Mossack client lists and related data, according to local media.
The anonymous and malicious insider leaked the stolen documents to German newspaper Süddeutsche Zeitung, which shared it with the International Consortium of Investigative Journalists and this list of partners. Some 2.6T data was exposed, including offshore accounts belonging to David Cameron’s family and Vladimir Putin, as well as other top politicians from Iceland, Malta, Pakistan and Ukraine. 140 of the offshore firms named in the leaked documents are connected to public officials or politicians.
“Firms now will have to change some policies. They will be more careful about how they handle information, and they will investigate more thoroughly their clients,” a Reddit user reacted, cited by HOTforSecurity.
Last year, researchers found that some 35% of employees would sell information on company patents, financial records and customer credit card details for the right price. The survey showed that 25% of employees would sell company data, risking both their jobs and criminal convictions, for less than $8,000. About 3% would sell private information for as little as $155 while 18% would accept an offer of $1,550. Approximately 35% were open to bribes as the offer reached $77,500. However, some 65% said they wouldn’t sell data for any price.
The temptation to sell valuable information is exacerbated by the ready access most employees have to it, with 61% of respondents stating they had access to private customer data. Some 51% had access to financial data, such as company accounts or shareholder information, and 49% had access to sensitive product information, such as planned launches and patents, the authors of the study found.
Regarding attitudes toward data security, only 29% said company data was their personal responsibility and 22% said they did not feel it was their responsibility at all. Authors of the study confirmed the growing need for organizations to deploy strategies to prevent data loss and use technology to safeguard data from both malicious and inadvertent insider threats.
Moreover, internal threats came second on a list of top threat vectors found by security professionals, according to studies cited by HOTforSecurity, being named by 49% of respondents among the top three threats, followed by integration of IT into control system networks, with 46%.
To mitigate human error, an organization should start deploying security controls to monitor who has access to proprietary data. Other must-have data protection and security measures include:
- Managing and monitoring end-user privileges
- Conducting background checks on an employee’s online activity before granting privileged access
- Network segregation for better control and security
"Companies must establish strong policies and protocols and restrict the ways employees use equipment and infrastructure or privileges inside the company network,” Bitdefender’s Bogdan Botezatu, Senior eThreat Specialist recommends. “The IT department must create policies for proper usage of the equipment, and ensure they are implemented.”
Another key element for enhanced security is to segregate access rights on grounds of necessity: employees must be able to access only those resources essential in their day-to-day activities. Only authorized personnel need access to critical and sensitive data, and only by adhering to strict security protocols and advanced authentication mechanisms. Besides two-factor authentication, even two-man authentication could be set in place for critical systems, similar to financial institutions where large transactions need to be authorized by two or more individuals.
In addition, backups should be stored only inside the company, and all data should be numbered and destroyed appropriately when no longer required. All privileges and accounts of former employees should be revoked immediately when they leave.
Former employees pose significant risks of data leakage and other vulnerabilities as long as they had access to confidential information, unknown to those outside the organization. Companies should limit any risks that they will use the information in their own interest or access data upon resignation. All passwords used to access company accounts must be changed periodically to reduce the risk of security breaches.
Some 64% of companies are uncertain where their sensitive information is, while more than half are worried about temporary worker or contractor mistakes with their data security, according to The State of Data Security Intelligence, a study by Ponemon Institute. The lack of knowledge regarding data (52%), third party or outsourced management of data (48%), and migration to new mobile platforms or cloud ecosystems (47%) are also among the top five concerns that keep IT managers up at night, the report says. Hackers, non-compliance with laws or regulations, employees’ mistakes, broken business processes and personal identity theft are also among the main concerns.
The Panama Papers leakage generated significant coverage in the past week, with more than 10,000 articles in the media. The Guardian claims that its traffic on Monday April 4, the day most stories emerged, set new records for the publisher: 10.4 million unique visitors and 35 million page views, according to internal figures, which include mobile traffic. Its normal average is 8.5 million daily unique visitors.